[openssl-dev] s3_clnt.c changes regarding external pre-shared secret seem to break EAP-FAST
Karthikeyan Bhargavan
karthikeyan.bhargavan at inria.fr
Tue Mar 17 18:59:32 UTC 2015
I would be very careful about this code. When we ran our tests on OpenSSL (www.smacktls.com), we found a bunch of issues that were narrowly prevented by a combination of flags (s->hit, SSL3_FLAGS_OK, s->s3->change_cipher_spec).
Let’s carefully test any change here, so we do not re-enable CVE-2014-0224 (Early CCS Attack)
On 17 Mar 2015, at 18:53, Erik Tkal <etksubs at gmail.com> wrote:
> In upgrading from 1.0.1i to 1.0.1l I found an issue in the behaviour of a non-resumed EAP-FAST session.
>
> RFC 4851 indicates that the server can go straight from the serverHello to changeCipherSpec to resume a session but can also fall back to a full handshake. With 1.0.1l the client ends up issuing an unexpected message alert if the server continues with its certificate message.
>
> I traced this to the following change:
>
> Set s->hit when resuming from external pre-shared secret.
>
> https://github.com/openssl/openssl/commit/7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
>
> When processing the serverHello s->tls_session_secret_cb() is called to see if the client has a session secret, and if so the old code would set the flag that a CCS was acceptable at that point. However, the above change now also sets s->hit, which then “requires* that a finished message is expected next, triggering the alert otherwise.
>
> Also, another change is suspect in that the latest code no longer sets the flag that a CCS is acceptable at that point:
>
> Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
>
> https://github.com/openssl/openssl/commit/e94a6c0ede623960728415b68650a595e48f5a43
>
> In order for EAP-FAST to work it seems that if the client does have a tls_session_secret that s->hit must NOT be set since there is no indication in the serverHello as to whether the session_ticket sent by the client is accepted by the server (the sessionTicket extension is not sent by the server in EAP-FAST), and that SSL3_FLAGS_CCS_OK has to be set since the server MAY continue immediately with a changeCipherSpec.
>
> Thanks,
> Erik
>
> ....................................
> Erik Tkal
> etkal at cisco.com
>
> _______________________________________________
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150317/38d2a99c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150317/38d2a99c/attachment-0001.sig>
More information about the openssl-dev
mailing list